The worm's probable target is said to have been high value infrastructures in Iran using Siemens control systems. According to news reports the infestation by this worm might have damaged Iran's nuclear facilities in Natanz and eventually delayed the start up of Iran's Bushehr Nuclear Power Plant. Although Siemens has stated that the worm has not caused any damage, on November 29, Iran confirmed that its nuclear program had indeed been damaged by Stuxnet.
Russian digital security company Kaspersky Labs released a statement that described Stuxnet as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world." Kevin Hogan, Senior Director of Security Response at Symantec, noted that 60% of the infected computers worldwide were in Iran, suggesting its industrial plants were the target. Kaspersky Labs concluded that the attacks could only have been conducted "with nation-state support", making Iran the first target of real cyberwarfare.
History
The worm was first reported by the security company VirusBlokAda in mid-June 2010, and roots of it have been traced back to June 2009. It contains a component with a build time stamp from 3 February 2010. In the United Kingdom on 25 November 2010, Sky News reported that it had received information that the Stuxnet worm, or a variation of the virus, had been traded on the black market. The name is derived from some keywords discovered in the software.
Affected countries
A study of the spread of Stuxnet by Symantec showed that the main affected countries as of August 6, 2010 were:
Country          Infected computers
China            6,000,000 (unconfirmed) (October 1)
Iran             62,867
Indonesia        13,336
India            6,552
United States    2,913
Australia        2,436
United Kingdom   1,038
Malaysia         1,013
Pakistan         993
Finland          7
Germany          5 (September)
Operation
The complexity of the software is very unusual for malware, and consists of attacks against three different systems:
1. The Windows operating system,
2. An industrial software application that runs on Windows, and
3. A Siemens programmable logic controller (PLC).
The attack requires in-depth knowledge of industrial processes and an interest in attacking industrial infrastructure. These capabilities would have required a team of people to program, as well as check that the malware would not crash the PLCs. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years.
Windows infection
Stuxnet attacked Windows systems using four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm). It is initially spread using infected removable drives such as USB flash drives, and then uses other exploits and techniques such as peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet. The number of zero-day Windows exploits used is unusual, as zero-day Windows exploits are valued, and hackers do not normally waste the use of four different ones in the same worm. Stuxnet is unusually large at half a megabyte in size, and written in different programming languages (including C and C++) which is also irregular for malware. The Windows component of the malware is promiscuous in that it spreads relatively quickly and indiscriminately.
The malware has both user-mode and kernel-mode rootkit capability under Windows, and its device drivers have been digitally signed with the private keys of two certificates that were stolen from separate companies, JMicron and Realtek, that are both located at Hsinchu Science Park in Taiwan. The driver signing helped it install kernel-mode drivers successfully and remain undetected for a relatively long period of time. Both compromised certificates have been revoked by VeriSign.
Two websites were configured as command and control servers for the malware, allowing it to be updated, and for industrial espionage to be conducted by uploading information. Both of these websites have subsequently been taken down as part of a global effort to disable the malware.
Step 7 software infection
Figure: Overview of normal communications between Step 7 and a Siemens PLC
Figure: Overview of Stuxnet hijacking communication between Step 7 software and a Siemens PLC
Once installed on a Windows system, Stuxnet infects project files belonging to Siemens' WinCC/PCS 7 SCADA control software (Step 7), and subverts a key communication library of WinCC called s7otbxbx.dll. The purpose of this subversion is to intercept communications between the WinCC software running under Windows and the target Siemens PLC devices that the software is able to configure and program when the two are connected via a data cable. In this way, the malware is able to install itself on PLC devices unnoticed, and subsequently to mask its presence from WinCC if the control software attempts to read an infected block of memory from the PLC system.
The malware furthermore used a zero-day exploit in the WinCC/SCADA database software in the form of a hard-coded database password.
PLC infection
Figure: Siemens Simatic S7-300 PLC CPU with three modules attached, each of which can control 31 slave variable-frequency drives
The entirety of the Stuxnet code has not yet been understood, but among its peculiar capabilities is a fingerprinting technology which allows it to precisely identify the systems it infects. Stuxnet requires specific slave variable-frequency drives (frequency converter drives) to be attached to the targeted Siemens S7-300 system and its associated modules. It only attacks those PLC systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran. Furthermore, it monitors the frequency of the attached motors, and only attacks systems that spin between 807Hz and 1210 Hz. The industrial applications of motors with these parameters are diverse, and may include pumps or centrifuges.
Stuxnet installs malware into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system. When certain criteria are met, it periodically modifies the frequency to 1410 Hz and then to 2 Hz and then to 1064 Hz, and thus affects the operation of the connected motors by changing their rotational speed. It also installs a rootkit that hides the malware on the system—the first such documented case on this platform.
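Because the PLC rootkit masks the infected block from WinCC, one defensive measure is an independent monitor that reads drive frequencies from a separate channel and checks them against the 807-1210 Hz band and the 1410 Hz / 2 Hz / 1064 Hz sequence described above. The following is an added illustration, not code from any vendor or from the Stuxnet analyses cited here; the log format and the sample telemetry are constructed for the example.

```python
"""Out-of-band sanity check on variable-frequency drive telemetry."""
import re
from typing import Dict, List, Tuple

# Nominal operating band quoted in the text (Hz).
BAND_LOW, BAND_HIGH = 807.0, 1210.0

# Constructed log format: "<timestamp> drive=<id> hz=<frequency>"
LINE_RE = re.compile(r"^(?P<ts>\S+) drive=(?P<drive>\S+) hz=(?P<hz>[0-9.]+)$")


def parse_line(line: str) -> Tuple[str, str, float]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable telemetry line: {line!r}")
    return m.group("ts"), m.group("drive"), float(m.group("hz"))


def check_telemetry(lines: List[str]) -> List[str]:
    """Return one alert string per out-of-band reading, plus an extra
    alert when an over-speed reading is immediately followed by a
    near-stall reading on the same drive (the pattern in the text)."""
    alerts: List[str] = []
    last_state: Dict[str, str] = {}  # drive id -> "high" | "normal" | "low"
    for line in lines:
        ts, drive, hz = parse_line(line)
        if hz > BAND_HIGH:
            state = "high"
            alerts.append(f"{ts} {drive}: {hz} Hz above band max {BAND_HIGH}")
        elif hz < BAND_LOW:
            state = "low"
            alerts.append(f"{ts} {drive}: {hz} Hz below band min {BAND_LOW}")
        else:
            state = "normal"
        # An isolated excursion could be a transient; over-speed followed
        # directly by a stall is the sequence worth escalating.
        if last_state.get(drive) == "high" and state == "low":
            alerts.append(f"{ts} {drive}: over-speed followed by stall")
        last_state[drive] = state
    return alerts


# Constructed sample telemetry, not real plant data.
SAMPLE = [
    "2010-08-06T10:00:00 drive=vfd01 hz=1064",
    "2010-08-06T10:00:10 drive=vfd01 hz=1410",
    "2010-08-06T10:00:20 drive=vfd01 hz=2",
    "2010-08-06T10:00:30 drive=vfd01 hz=1064",
    "2010-08-06T10:00:40 drive=vfd02 hz=1000",
]

if __name__ == "__main__":
    for alert in check_telemetry(SAMPLE):
        print(alert)
```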
Removal
Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and advises installing Microsoft patches for security vulnerabilities and prohibiting the use of third-party USB flash drives. Siemens also advises immediately upgrading password access codes.
The worm's ability to reprogram external programmable logic controllers (PLCs) may complicate the removal procedure. Symantec's Liam O'Murchu warns that fixing Windows systems may not completely solve the infection; a thorough audit of PLCs is recommended. Despite speculation that incorrect removal of the worm could cause damage, Siemens reports that in the first four months since discovery, the malware was successfully removed from the systems of twenty-two customers without any adverse impact.
Control system security
Prevention of control system security incidents, such as those caused by viral infections like Stuxnet, is a topic that is being addressed in both the public and the private sector.
The U.S. Department of Homeland Security National Cyber Security Division operates the Control System Security Program (CSSP). The program operates a specialized Computer Emergency Response Team (ICS-CERT), conducts a biannual conference (ICSJWG), provides training, publishes recommended practices, and provides a self-assessment tool.
Several industry organizations and professional societies have published standards and best practice guidelines providing direction and guidance for control system end-users on how to establish a Control System Security management program. The basic premise that all of these documents share is that prevention requires a multi-layered approach, often referred to as "defense-in-depth". The layers include policies & procedures, awareness & training, network segmentation, access control measures, physical security measures, system hardening, e.g., patch management, and system monitoring, anti-virus and IPS. The standards and best practices also all recommend starting with a risk analysis and a control system security assessment. The purpose is to assess the current level of risk and the size of the gap between that risk and what is tolerable. The other purpose of an assessment is to identify the vulnerabilities and develop a prioritized program to eliminate or minimize them.
In response to these concerns, cyber security standards and certifications programs such as ISA 99 and SASecure have been developed to evaluate and certify the security of industrial automation products.
Automation, SCADA and control system developers often use off-the-shelf equipment, software and protocols, integrating and configuring these in different ways for a variety of applications. This "common" approach can make it easier for malware to bring down some vulnerable systems. However, proprietary automation, SCADA and control system developers are able to provide a completely bespoke solution, using new protocols and hardware/software/firmware solutions yet unknown to developers of malware.
Speculations about the target and origin
Symantec estimates that the group developing Stuxnet would have been well-funded, consisting of five to ten people, and would have taken six months to prepare. The Guardian, the BBC and The New York Times all reported that experts studying Stuxnet considered that the complexity of the code indicates that only a nation state would have the capabilities to produce it.
Israel, perhaps through Unit 8200, has been speculated to be the country behind Stuxnet in many media reports and by experts such as Richard Falkenrath, former Senior Director for Policy and Plans within the United States Department of Homeland Security. Some have also referred to several clues in the code such as a concealed reference to the word "MYRTUS", believed to refer to the Myrtle tree, or Hadassah in Hebrew. Hadassah was the birth name of the former Jewish queen of Persia, Queen Esther. However, it may be that the "MYRTUS" reference is simply a misinterpreted reference to SCADA components known as RTUs (Remote Terminal Units) and that this reference is actually "My RTUs", a management feature of SCADA. Also, the number 19790509 appears once in the code and might refer to the date "1979 May 09", the day Habib Elghanian, a Persian Jew, was executed in Tehran. "Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party." According to the New York Times, a former member of the United States intelligence community speculated that the attack may have been the work of Unit 8200. Yossi Melman, who covers intelligence for the Israeli daily newspaper Haaretz and is at work on a book about Israeli intelligence, also suspected that Israel was involved. He noted that Meir Dagan, head of the national intelligence agency Mossad, had his term extended in 2009 because he was said to be involved in important projects. Additionally, in the past year Israeli estimates of when Iran will have a nuclear weapon had been extended to 2014. "They seem to know something, that they have more time than originally thought", he added.
Additionally, in 2009, a year before Stuxnet was discovered, Scott Borg of the United States Cyber-Consequences Unit (US-CCU) had suggested that Israel might prefer to mount a cyber-attack rather than a military strike on Iran's nuclear facilities. According to Borg this kind of attack could involve disrupting sensitive equipment such as centrifuges using malware introduced via infected memory sticks: "Since the autumn of 2002, I have regularly predicted that this sort of cyber-attack tool would eventually be developed ... Israel certainly has the ability to create Stuxnet and there is little downside to such an attack, because it would be virtually impossible to prove who did it. So a tool like Stuxnet is Israel's obvious weapon of choice." There has also been speculation on the involvement of NATO, the United States and other Western nations. It has been reported that the United States, under one of its most secret programs, initiated by the Bush administration and accelerated by the Obama administration, has sought to destroy Iran's nuclear program by novel methods such as undermining Iranian computer systems. However, solid evidence pointing to Western (and specifically American) involvement has been scarce.
Though Israel has not publicly commented on the Stuxnet attack, it has since confirmed that cyberwarfare is now among the pillars of its defense doctrine, with a military intelligence unit set up to pursue both defensive and offensive options.
Symantec has reported that the majority of infected systems were in Iran (about 60%), which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in Iran including either the Bushehr Nuclear Power Plant or the Natanz nuclear facility. Ralph Langner, a German cyber-security researcher, called the malware "a one-shot weapon" and said that the intended target was probably hit, although he admitted this was speculation.
There are reports that Iran's uranium enrichment facility at Natanz was the target of Stuxnet and the site sustained damage because of it, causing a sudden 15% reduction in its production capabilities. There was also a previous report by WikiLeaks disclosing a "serious nuclear accident" at the site in 2009. According to statistics published by the Federation of American Scientists (FAS) the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 beginning around the time the nuclear incident WikiLeaks mentioned would have occurred. On November 23 it was announced that uranium production at Natanz in Iran temporarily ceased altogether because of a series of major technical problems. According to a report by the Institute for Science and International Security (ISIS) Stuxnet is "a reasonable explanation for the apparent damage" at Natanz and may have destroyed up to 1000 centrifuges (10 percent) in the months before January 2010. The authors conclude:
"The attacks seem designed to force a change in the centrifuge's rotor speed, first raising the speed and then lowering it, likely with the intention of inducing excessive vibrations or distortions that would destroy the centrifuge. If its goal was to quickly destroy all the centrifuges in the FEP, Stuxnet failed. But if the goal was to destroy a more limited number of centrifuges and set back Iran's progress in operating the FEP, while making detection difficult, it may have succeeded, at least temporarily."
The ISIS report further notes that Iranian authorities have attempted to conceal the breakdown by installing new centrifuges on a large scale.
Iranian reaction
The Associated Press reported that the semi-official Iranian Students News Agency released a statement on 24 September 2010 stating that experts from the Atomic Energy Organization of Iran met in the previous week to discuss how Stuxnet could be removed from their systems. According to analysts, Western intelligence agencies have been attempting to sabotage the Iranian nuclear program for some time.
The head of the Bushehr Nuclear Power Plant told Reuters that only the personal computers of staff at the plant had been infected by Stuxnet and the state-run newspaper Iran Daily quoted Reza Taghipour, Iran's telecommunications minister, as saying that it had not caused "serious damage to government systems". The Director of Information Technology Council at the Iranian Ministry of Industries and Mines, Mahmud Liaii, has said that: "An electronic war has been launched against Iran... This computer worm is designed to transfer data about production lines from our industrial plants to locations outside Iran."
It is believed that infection originated from Russian laptops belonging to Russian contractors at the site of Bushehr power plant and spreading from there with the aim of targeting the power plant control systems. In response to the infection, Iran has assembled a team to combat it. With more than 30,000 IP addresses affected in Iran, an official has said that the infection is fast spreading in Iran and the problem has been compounded by the ability of Stuxnet to mutate. Iran has set up its own systems to clean up infections and has advised against using the Siemens SCADA antivirus since it is suspected that the antivirus is actually embedded with codes which update Stuxnet instead of eradicating it.
According to Hamid Alipour, deputy head of Iran's government Information Technology Company, "The attack is still ongoing and new versions of this virus are spreading." He reports that his company had begun the cleanup process at Iran's "sensitive centres and organizations. We had anticipated that we could root out the virus within one to two months, but the virus is not stable, and since we started the cleanup process three new versions of it have been spreading," he told the Islamic Republic News Agency.
Although he did not mention Stuxnet by name, on Monday November 29, 2010, Iranian President Mahmoud Ahmadinejad for the first time admitted that malicious software code had damaged Iran's centrifuge facilities. "They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts," Mr. Ahmadinejad told reporters at a news conference, Reuters reported. "They did a bad thing. Fortunately our experts discovered that and today they are not able [to do that] anymore."
On the same day two Iranian nuclear scientists were assassinated when bombs were attached to their cars in Tehran. Wired speculated that the assassinations could indicate that whoever was behind Stuxnet felt that it was not sufficient to stop the nuclear program.